Pydio v8

Securing your installation

Pydio code is continuously audited by security experts and should be resistant to the most common web attacks. However, Pydio cannot fix holes created by a misconfigured server. Here are some basic recommendations for securing your Pydio installation.

Protect your folders from direct web access

Under the main Pydio installation folder, the contents of the following folders must not be reachable through the web server. This is the case by default if you are using Apache, as .htaccess files are part of the distribution.

pydio_install/conf

pydio_install/data/[all subfolders except “public”]. data/public/ is the default container for the “shared links” public files.

Note: for the .htaccess files to take effect under Apache, make sure that AllowOverride permits the Limit directives on your web server (contact your webmaster).
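A quick way to check the folders listed above on disk, as an added example (not part of the Pydio distribution). It assumes a protecting .htaccess uses one of Apache's standard deny forms ("Deny from all" or "Require all denied"); the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# Assumption: a protecting .htaccess contains one of these Apache deny forms.
# Commented-out directives ("# deny from all") do not match.
DENY = re.compile(r"^[ \t]*(deny\s+from\s+all|require\s+all\s+denied)[ \t]*$",
                  re.IGNORECASE | re.MULTILINE)


def folders_to_hide(install_dir):
    """conf/ plus every data/ subfolder except public/, as listed above."""
    root = Path(install_dir)
    if not (root / "conf").is_dir():
        raise ValueError(f"{root} has no conf/ folder: wrong install path?")
    folders = [root / "conf"]
    data = root / "data"
    if data.is_dir():
        folders += sorted(p for p in data.iterdir()
                          if p.is_dir() and p.name != "public")
    return folders


def is_denied(folder, root):
    """True if the folder, or a parent up to the install root, has a deny rule."""
    for d in [folder, *folder.parents]:
        ht = d / ".htaccess"
        if ht.is_file() and DENY.search(ht.read_text(errors="replace")):
            return True
        if d == root:
            break
    return False


def audit(install_dir):
    """Return the folders (relative to the install) that lack a deny rule."""
    root = Path(install_dir)
    return [f.relative_to(root).as_posix()
            for f in folders_to_hide(root) if not is_denied(f, root)]


if __name__ == "__main__" and len(sys.argv) == 2:
    missing = audit(sys.argv[1])
    for name in missing:
        print("no deny rule found for:", name)
    sys.exit(1 if missing else 0)
```

This only inspects the files; if AllowOverride does not permit them, Apache ignores the .htaccess rules. Confirm the result by requesting a path under conf/ through the web server and checking that it is refused.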

If you can, do not use the default “files” folder placed inside the distribution, but create a repository pointing to a folder outside your web “document root”.